It was reported to firstname.lastname@example.org that the autofs defaults do not set the
nodev NFS option.
Bug 410031 notes the missing nosuid option by default for the /net autofs
filesystems. The fix for that issue did not take into account that there was
also a missing nodev option for these filesystems.
Without the nodev option, it is possible for an attacker to mount a remote
filesystem which could give them access to various devices that should normally
have restricted access, such as /dev/mem, and various hardware devices.
Red Hat would like to thank Tim Baum for reporting this issue.
Fixed now in affected versions of Red Hat Enterprise Linux:
Updates now available also in stable Fedora repositories: